Securing Smart Cities: Hybrid CISSP–ISO Governance
Thesis by Ansar Abdullah, Master of Computer Science (Cybersecurity), University Malaya 2026.
Supervisor: Dr Azah Anir Norman. A hybrid model weaves expert judgment into ISMS.
Abstract — Problem & Proposal
Problem: IoT and AI increase the attack surface of smart cities.
CISSP role: provides adaptive, expert risk management across eight domains.
ISO/IEC 27001 role: provides ISMS structure, policies, and audit trails.
Hybrid model: combines human agility with auditable processes for resilience.
Case studies: Singapore, Barcelona, Kuala Lumpur.
Why a Hybrid Model?
Speed: CISSP enables rapid triage of novel threats.
Accountability: ensures repeatable, auditable controls.
Scale: integration embeds expertise into institutional memory.
Chapter 1 — Background
City Data Flows
Every sensor and service exchanges data across networks, and each of those exchanges creates new attack vectors for adversaries.
Two Current Defenses
CISSP: human expertise, fast but person-dependent.
ISO 27001: process-driven ISMS, repeatable but slower.
Key Risks & Failures
Supply-chain attacks: malicious updates hide in trusted vendor code.
Fragmented governance: multiple agencies create cyber-silos and weak links.
Post-quantum threats: harvest-now, decrypt-later risks demand crypto-agility.
CISSP & ISO/IEC 27001 Compared
CISSP: individual competence across eight security domains.
ISO/IEC 27001: organizational ISMS with PDCA and Annex A controls.
Integration turns expert judgment into auditable practice.
Conceptual Framework & Workflow
The workflow embeds CISSP expertise into ISO controls at scale.
Case Studies Overview
Singapore: high maturity; expert-led SOCs plus a mature ISMS.
Barcelona: strong privacy and ISO adoption; needs agility.
Kuala Lumpur: fragmented across 27 agencies; hybrid scaling required.
Comparative analysis tests the hybrid model across contexts.
Findings & Recommendations
Embed experts: place CISSP professionals in ISMS steering and SOCs.
Flexible ISMS: allow rapid scoping updates for novel IoT and AI risks.
Supplier controls: mandate secure-by-design clauses and audit rights.
Conclusion & Future Directions
Thesis conclusion: hybrid CISSP–ISO governance balances agility and accountability.
Future research: pilot hybrids, measure response times and public trust metrics.
Global need: interoperable standards for device baselines and incident sharing.